CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
Page 27 of 93

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-15399 | | Medium | 0.44 | 6.8 | 0.02 | | Oct 5, 2018 | A vulnerability in the TCP syslog module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust the 1550-byte buffers on an affected device, resulting in a denial of service… |
| CVE-2018-15396 | | Medium | 0.44 | 6.8 | 0.02 | | Oct 5, 2018 | A vulnerability in the Bulk Administration Tool (BAT) for Cisco Unity Connection could allow an authenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition. The vulnerability exists because the affected software does not… |
| CVE-2026-34277 | | Medium | 0.43 | 6.6 | 0.00 | | Apr 21, 2026 | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Fluid Core). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise… |
| CVE-2023-36799 | | Medium | 0.43 | 6.5 | 0.05 | | Sep 12, 2023 | .NET Core and Visual Studio Denial of Service Vulnerability |
| CVE-2022-24713 | | High | 0.43 | 7.5 | 0.14 | | Mar 8, 2022 | regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide… |
| CVE-2018-1157 | | Medium | 0.43 | 6.5 | 0.04 | | Aug 23, 2018 | Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system via a crafted HTTP POST request. |
| CVE-2018-15607 | | Medium | 0.43 | 6.5 | 0.05 | | Aug 21, 2018 | In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory… |
| CVE-2012-0881 | | High | 0.43 | 7.5 | 0.17 | | Oct 30, 2017 | Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. |
| CVE-2016-8734 | | Medium | 0.43 | 6.5 | 0.06 | | Oct 16, 2017 | Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU… |
| CVE-2016-5004 | | Medium | 0.43 | 6.5 | 0.06 | | Jun 6, 2017 | The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in Apache Archiva allows remote attackers to cause a denial of service (resource consumption) by decompressing a large file containing zeroes. |
| CVE-2016-4055 | | Medium | 0.43 | 6.5 | 0.10 | | Jan 23, 2017 | The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)." |
| CVE-2016-9310 | | Medium | 0.43 | 6.5 | 0.11 | | Jan 13, 2017 | The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet. |
| CVE-2026-12151 | | Important | 0.42 | 7.5 | 0.01 | | Jun 17, 2026 | undici: Denial of Service due to unbounded memory growth via WebSocket frames |
| CVE-2026-12325 | | Medium | 0.42 | 6.5 | 0.00 | | Jun 16, 2026 | Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. |
| CVE-2026-12319 | | Medium | 0.42 | 6.5 | 0.00 | | Jun 16, 2026 | Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. |
| CVE-2026-39197 | | Medium | 0.42 | 6.5 | 0.00 | | Jun 15, 2026 | An issue in the /util/http/prelude.rs endpoint of Datadog, Inc Vector v0.54.0 allows attackers to cause a Denial of Service (DoS) via a crafted request or payload. |
| CVE-2026-5079 | | High | 0.42 | 7.5 | 0.00 | | Jun 15, 2026 | Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to… |
| CVE-2026-44496 | | High | 0.42 | 7.5 | 0.01 | | Jun 11, 2026 | Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser… |
| CVE-2026-5497 | | High | 0.42 | 7.5 | 0.01 | | Jun 11, 2026 | vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` method. When processing `video/jpeg` data URLs, the method splits the base64 data string on commas to… |
| CVE-2026-46679 | | High | 0.42 | 7.5 | 0.00 | | Jun 10, 2026 | libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched… |
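Several entries in this list (multer/append-field, vLLM, undici, libp2p) share the shape the CWE definition describes: a quantity the client controls, such as nesting depth, frame count or buffer size, with no bound placed on it before allocation. The following is an added example, not code from this page or from multer or append-field. It is a hypothetical bracket-notation field-name parser in JavaScript, of the kind a multipart body parser uses, shown in its unbounded form and with the per-segment depth limit that turns the weakness into a rejected request instead of an allocation. The function names, the limits in `DEFAULT_LIMITS` and the sample field names are all this example's own.

```javascript
'use strict';

// Added example, not append-field's or multer's code. A hypothetical
// bracket-notation field-name parser with the same shape as the multer /
// append-field entry above (client-controlled nesting depth), shown with
// and without a bound. All names and limits here are this example's own.

const DEFAULT_LIMITS = { maxDepth: 32, maxKeyLength: 256 };

// Parse "a[b][c]" into ["a", "b", "c"]. Throws RangeError as soon as the
// path would exceed maxDepth segments, before anything is allocated for it.
// { maxDepth: Infinity } reproduces the unbounded (vulnerable) behaviour.
function parseFieldName(name, opts = {}) {
  const { maxDepth, maxKeyLength } = { ...DEFAULT_LIMITS, ...opts };
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('field name must be a non-empty string');
  }
  let end = name.indexOf('[');
  if (end === -1) end = name.length;
  if (end === 0) throw new SyntaxError('field name must not start with "["');
  if (end > maxKeyLength) throw new RangeError('key too long');
  const path = [name.slice(0, end)];
  let i = end;
  while (i < name.length) {
    if (name[i] !== '[') throw new SyntaxError(`unexpected "${name[i]}" at offset ${i}`);
    const close = name.indexOf(']', i + 1);
    if (close === -1) throw new SyntaxError('unterminated "["');
    const key = name.slice(i + 1, close);
    if (key.includes('[')) throw new SyntaxError('nested "[" inside key');
    if (key.length > maxKeyLength) throw new RangeError('key too long');
    // The bound: checked per segment, so a 100000-bracket name costs at
    // most maxDepth iterations, not 100000 allocations further down.
    if (path.length >= maxDepth) throw new RangeError(`nesting deeper than ${maxDepth}`);
    path.push(key);
    i = close + 1;
  }
  return path;
}

// Store value at the parsed path, creating containers on the way. An empty
// last segment ("tags[]") appends to an array, as form encoders expect.
function assignField(target, name, value, opts = {}) {
  const path = parseFieldName(name, opts);
  let node = target;
  for (let d = 0; d < path.length - 1; d++) {
    const key = path[d];
    if (key === '') throw new SyntaxError('"[]" is only allowed as the last segment');
    if (node[key] === undefined) {
      // Null-prototype containers, so a key such as "__proto__" never
      // reaches Object.prototype.
      node[key] = path[d + 1] === '' ? [] : Object.create(null);
    } else if (typeof node[key] !== 'object' || node[key] === null) {
      throw new TypeError(`field "${key}" is both a value and a container`);
    }
    node = node[key];
  }
  const last = path[path.length - 1];
  if (last === '') {
    if (!Array.isArray(node)) throw new TypeError('"[]" on a non-array field');
    node.push(value);
  } else {
    node[last] = value;
  }
  return target;
}

// Constructed inputs: one legitimate form field and one with 100000 nested
// brackets, the kind of field name an attacker can put in a multipart part.
const LEGIT_NAME = 'user[address][city]';
const DEEP_NAME = 'x' + '[y]'.repeat(100000);

function demo() {
  const form = assignField(Object.create(null), LEGIT_NAME, 'Oslo');
  // Unbounded parse: accepts all 100001 segments; assignField would then
  // allocate 100000 nested objects for a single field, and every recursive
  // consumer downstream (serialisers, validators) pays for that depth too.
  const unboundedSegments = parseFieldName(DEEP_NAME, { maxDepth: Infinity }).length;
  // Bounded parse: rejected after DEFAULT_LIMITS.maxDepth segments.
  let rejected = false;
  try {
    parseFieldName(DEEP_NAME);
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  return { city: form.user.address.city, unboundedSegments, rejected };
}

console.log(demo());
```

The point generalises to the other entries: the check has to sit where the attacker-controlled count is read (per bracket, per WebSocket frame, per decoded video frame), and it has to fail before the allocation it guards, not after. A limit applied to the finished object would already have paid the cost.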